URL Spoofing on Safari Browsers

October 10, 2018

An IT security researcher based in Pakistan named Rafay Baloch has just uncovered a critical weakness that could allow fraudsters to spoof website addresses in the Microsoft Edge web browser for Windows and Apple Safari for iOS.

While Microsoft secured this weakness last month as part of its monthly security updates release, Safari is still unpatched, potentially leaving Apple users susceptible to phishing attacks.

Phishing attacks are becoming more frequent, more sophisticated and increasingly difficult to spot. This newly discovered vulnerability takes them to a whole new level: it can completely bypass basic indicators like the URL and SSL, which are the first two things a user checks to determine whether a website is legitimate or fake.

The vulnerability (CVE-2018-8383) is a race condition caused by the web browser permitting JavaScript to update the page address in the URL bar while the page is still loading.

Here’s how the URL spoofing works, as described by Baloch:

“Successful corruption and manipulation of the weakness could potentially allow an attacker to initially start loading a legitimate page, which would cause the page address to be displayed in the URL bar, and then quickly replace the code in the web page with a malicious and fraudulent one.”

“Upon requesting data from a non-existent port the address was preserved and hence, due to a race condition over a resource requested from a non-existent port combined with the delay induced by the setInterval function, managed to trigger address bar spoofing,” Baloch explains.

“It therefore causes the browser to preserve the address bar and to load the content from the spoofed page. The browser will eventually load the resource, however the delay induced with setInterval function would be enough to trigger the address bar spoofing.”

Since the URL / address displayed in the address bar does not change, the phishing attack would be difficult for even a trained user to detect or notice.

Using this vulnerability, a fraudster can fully imitate any web page, including Gmail, Facebook, Twitter, or even official bank websites, and create fake login screens or other forms to retrieve credentials and other personal data from unsuspecting users, who see the legitimate domain in the address bar.

Incidentally, neither Google Chrome nor Mozilla Firefox is affected by this vulnerability.

And while Microsoft already patched the issue last month with the security patch it released last Tuesday, Apple has yet to release a patch or a statement on how it plans to address this threat.
